General

  • Target

    Ransomware.WannaCry_Plus.zip

  • Size

    164KB

  • Sample

    240808-sxsdgsygnf

  • MD5

    0a28daa799b042d398545a291b888aea

  • SHA1

    f992593481c3bff8be22106ba2bdc164787e5be1

  • SHA256

    320b07637a6836f3f245806ede573092942ad7310e2cce43561b88ad25a982cc

  • SHA512

    ccf65ba911039edcf866c704f157f0358786872f1878952c5a101e4da6174bc647e62f3dabe6400ff59fa13625bc2123dabf7271cc82c182040ca381e4150e24

  • SSDEEP

    3072:agxwh+Srh51lfL2kLxs6/X6OOKeRw+JCT/xzBGXPU0r1geeXpIGkzBrvLEmOEB73:UHotz3uokeOvHS1d1+sNs8wbiWQ/9/v7

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 8DBD02D2AEE82E7D07AECF295DBEE8C3 and pay on a Bitcoin Wallet: XqgWm5YW5U7H1Zrr3fcrdTPDwE7DefDTxi total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 8DBD02D2AEE82E7D07AECF295DBEE8C3 this is code; you must send BTC: XqgWm5YW5U7H1Zrr3fcrdTPDwE7DefDTxi here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Targets

    • Target

      Ransomware.WannaCry_Plus.zip

    • Size

      164KB

    • MD5

      0a28daa799b042d398545a291b888aea

    • SHA1

      f992593481c3bff8be22106ba2bdc164787e5be1

    • SHA256

      320b07637a6836f3f245806ede573092942ad7310e2cce43561b88ad25a982cc

    • SHA512

      ccf65ba911039edcf866c704f157f0358786872f1878952c5a101e4da6174bc647e62f3dabe6400ff59fa13625bc2123dabf7271cc82c182040ca381e4150e24

    • SSDEEP

      3072:agxwh+Srh51lfL2kLxs6/X6OOKeRw+JCT/xzBGXPU0r1geeXpIGkzBrvLEmOEB73:UHotz3uokeOvHS1d1+sNs8wbiWQ/9/v7

    • Satana

      Ransomware family which also encrypts the system's Master Boot Record (MBR).

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks